[Transcript] Episode 501: What We’re Keeping an Eye on and What You Need to Know That Will Be Impactful to Your Practice in 2025

 

Evan Dumas 

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.

 

Liath Dalton 

And I’m Liath Dalton, and we are Person Centered Tech.

 

Liath Dalton 

This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.

 

Evan Dumas 

Hello and welcome to this first episode of the new year, Episode 501: What We’re Keeping an Eye on and What You Need to Know That Will Be Impactful to Your Practice in 2025.

 

Liath Dalton 

Indeed, yes. Welcome to the new season, and the new year of Group Practice Tech. Today, we’re going to be talking about the stories and developments and regulatory and sort of practice landscape changes that are noteworthy and impactful and that we’re going to be staying on top of so that we can keep you informed about related action items, so that you can be prepared and proactive and in compliance with any required changes that you should be making, and wanted to sort of foreshadow a bit what’s what’s forthcoming.

 

Liath Dalton 

We’ll be giving you some highlights related to each topic or area that we’re keeping an eye on, and then we’ll be doing deeper dives devoted to each one in forthcoming episodes. So that’s the little spiel about what, what the episode is going to contain, and what the future, some of the future episodes for this season will contain, and how they relate to your practice.

 

Liath Dalton 

So with all that said, let’s dive in, and I want to start by saying thank you for joining us and for continuing to utilize Person Centered Tech as a supportive resource for managing your practice. We know that it’s an intense time to be running a practice and navigating all of these changes, while still centering client care and hopefully also a healthy work life balance for for you as practice leader. So we’re grateful to be able to continue to play a supportive role in that.

 

Liath Dalton 

All right, the one of the really big stories is actually that there has recently been a proposed change to the HIPAA Security Rule, which has not been changed since the Omnibus Rule in 2016 right? So it has been nine years, essentially, since there have been any changes to the Security Rule. Of course, in practice, how people meet the existing requirements of the Security Rule has really evolved in that timeframe.

 

Liath Dalton 

But because the threat landscape has evolved so rapidly, and we’ve been seeing the really serious consequences of those threats being realized in practice, and those implications, some really specific updates are required. And so the proposed rule changes are available, we’ll be linking to those in the show notes. The good news is that for those of you that are using PCTs customizable template, HIPAA Security Policies and Procedures and HIPAA Manuals, like 99% of those pieces are already explicitly addressed in those materials.

 

Liath Dalton 

But in general, what previously was introduced in 2024 as recommended cyber security measures are being proposed to be changed from recommended to required to explicitly required, so no longer optional. And there are a couple other noteworthy aspects as well. Evan, do you want to speak directly to some of those?

 

Evan Dumas 

Oh, yeah, some of the aspects are that, you know, we recommended people to do risk analyses every year, and now they’re saying do risk analyses every year, because it’s going to be like a requirement, which is lovely. Some other little bits added in here about having asset inventories, which is great. We already talked about the requirement for multifactor authentication being true everywhere, which is really good. There’s some changes in deadlines to things, like 72 hours, like written procedures of how to restore from outages. And like, know that you can, that type of thing. So, you know, we’ve always advocated for contingency plans, but they finally gave time frames on what they want to see from that which is really, really nice.

 

Liath Dalton 

Exactly. And for, once, the, it is confirmed that the rules as proposed are going into effect, we will be updating the customizable template materials to include those specifications right? And for those of you that are already utilizing our customizable template materials, though, we will share those updates with you along with guidance on how to incorporate them into your existing materials in the most efficient and streamlined fashion, so it’s not too onerous of a process.

 

Liath Dalton 

But it will require really minimal change for those of you who are already on the PCT Way path with your practice, and if you aren’t yet, a good action item, would be to start working your way through that process, as all of these things are going to become explicit requirements, and so there isn’t sort of an optional element to them, and it’s going to be really necessary to be adhering to them.

 

Liath Dalton 

And I want to take a moment to again reiterate something that we often do, which is that these regulatory requirements are not arbitrary, right?

 

Evan Dumas 

No.

 

Liath Dalton 

They may feel that way to an extent, because they are in tech and security and legal-ese lingo, but they really do provide a supportive framework with the best specificity that we can get for managing the in practice risks.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And again, those in practice risks are things that materially impact the confidentiality and security and integrity of your clients’ information. So something that, aside from the HIPAA requirements that you are ethically required to be safeguarding as well.

 

Liath Dalton 

And safeguarding client info in that way has important clinical implications too, because failure to safeguard it can lead to client harm, and that’s something we’ve been seeing more examples of with the different breaches that occurred in the last year in particular, can impact not just the therapeutic alliance, but actual clinical care outcomes in a pretty substantial way. So protecting your clients and their info is also then protecting your practice, and that’s something I know all of you listeners are really committed to.

 

Liath Dalton 

So that brings us to one of our next stories that is noteworthy, which is that the OCR, the Office of Civil Rights, the HIPAA regulators, have just resumed their HIPAA compliance audit program. And, Evan, when was the last time they were actually doing audits?

 

Evan Dumas 

Gosh, was that okay? It’s either it, was it 2017 or 2013?

 

Liath Dalton 

2017, yep.

 

Evan Dumas 

Oh my gosh, yeah.

 

Liath Dalton 

So they have not been doing those random audits since 2017. Now, the before you start worrying that the HIPAA regulators are going to come knocking on your door and your practice is likely to be selected for for one of these audits, they are limiting the number of audits to 50. That’s five zero. So considering the number of HIPAA covered entities, and that HIPAA covered entities include both solo practitioners, you know, group practices, hospital organizations, clearinghouses, we feel it is fairly safe to assume that they are going to be focusing on the larger

 

Evan Dumas 

Yeah.

 

Liath Dalton 

HIPAA covered entities whose lack of security and compliance has the ability to be more significantly harmful to clients and patients. I think part of what precipitated this audit program resumption was really related to the Change Healthcare breach in 2024 and the massive fallout that that had across kind of all sectors of healthcare service provision, from pharmacies to hospitals and surgeons to solo practitioners.

 

Evan Dumas 

Oh my gosh, so many.

 

Liath Dalton 

But we do have one really relevant takeaway from what they’re focusing on in those audits, and it is oriented around the risk management and risk analysis standards of the Security Rule, and no doubt, also is going to, they’ve explicitly stated that thus far, but the cyber security provisions are also going to feature heavily, because part of the threats that have been most realized and most significantly harmful are related to hacking and unauthorized access of PHI.

 

Liath Dalton 

So again, part of why they’re highlighting the importance of multifactor authentication and safeguards that are preventative of that sort of thing from being able to occur, as well as data backups that preserve the accessibility and integrity of PHI.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

So what that translates to for you, listener, is just being sure that you’re on on top of those standards, right?

 

Liath Dalton 

There are some other stories that aren’t explicitly HIPAA related, Medicare related and telehealth related and AI related, that we’re going to get into in a minute, but I want to sort of finish up the HIPAA related stories and foreshadowing of what’s forthcoming and what’s impactful.

 

Liath Dalton 

So two other big changes happened in 2024, one at the very end of 2024 related to changes to the Privacy Rule and additional provisions therein. And one of those relates to CFR 142, part 2e, which is quite a mouthful, and really what that is related to is substance use disorder treatment PHI, and that is kind of the most restrictive component of HIPAA in terms of what can be released and disclosed and how and what the requirements are around there.

 

Liath Dalton 

Some of those provisions have actually been lessened to an extent in order to help manage kind of continuity of care and provision of care without undue burden, while still keeping the reasonable safeguards in place and the sort of compliance requirements with those provisions. One piece of it entails updating your HIPAA Noticeof Privacy Practices to address those changes. Now, thankfully, in part, because the HHS has not released yet an updated model NPP and their model NPP is really the gold standard, and what we recommend practices utilize as the template for for their NPP, the requirement for covered entities to provide updated NPPs is not until 2026. So why we’re bringing this up now is so that you have time to get prepared to be in compliance with it when that requirement is in effect.

 

Liath Dalton 

And related to that, you also will need to be updating your NPP to address the safeguards for reproductive rights and for PHI releases related to any reproductive care or discussion of reproductive care. On the topic of reproductive rights, though, and that new legislation that has gone into effect, there is a requirement that anytime a request for PHI is made that may include PHI related to reproductive care or discussion of reproductive care, that an attestation is required to accompany that. So check out the show notes for a link to that model attestation. And that’s present and in effect now, but the NPP component of things is not until 2026.

 

Liath Dalton 

So we’ll again be doing a dedicated episode to this. And we also have a training related to clinical documentation in a post-Roe world. So we’ll include the the link to that on demand CE training for you as a another optional resource. But do check out for sure the attestation and template to be utilizing.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Yeah. So those are the big HIPAA stories and changes and kind of action items that are related to them. Another big topic, and one that we’ve been getting a lot of questions about, is related to Medicare, because there were, thanks to COVID, one of the silver linings of of the pandemic, all of these exceptions that were made initially on a temporary basis for telehealth provision. Evan, what are some of the best of those exceptions?

 

Evan Dumas 

Yeah, that you didn’t need an in person visit to start like a relationship with a provider. You didn’t need to go to some facility, that you could do it from the comfort of your own home.

 

Liath Dalton 

Exactly, and that they would cover virtual sessions for behavioral health care services when the client or patient was at their home. That the home now qualified as, what’s termed in their language, as an originating site, rather than having to go to a designated facility that had been certified as an originating site. So that change was huge, because it massively opened up access, and thankfully that exception is continuing, as is their coverage for audio only telehealth provision for behavioral health care services.

 

Liath Dalton 

So being able to continue to deliver care to clients in their home from your practice location or your home office continues, as does audio only coverage. What is up in the air currently is the in person assessment. Where there there is an exception for if it is too risky or places an undue burden, in the assessment, of both client, patient and and provider. But the specifics of that feel kind of fuzzy, and folks are understandably wary of relying on that.

 

Liath Dalton 

So initially, the waiver of the in person assessment requirement was set to expire at the end of 2024. hat has now been extended until March 31 2025. So, we have through Q1 for the three different pieces of proposed legislation that would make that permanent, to hopefully go through.

 

Evan Dumas 

Hopefully.

 

Liath Dalton 

And there’s a lot of speculation as well that it may be that if one of those three pieces of legislation don’t go through, and it isn’t extended on a permanent basis, that another kind of last minute extension may go through. But if your practice is a Medicare provider and works with Medicare covered clients, the fact that that provision, and exception may expire, needs to be on on your radar, so that if that does happen, you are prepared to be able to manage that and do so in a way that doesn’t disrupt the provision of client care as well.

 

Liath Dalton 

On the subject of telehealth, also want to share that I know those of you who are counselors or have licensed counselors as clinical providers in a group practice and provide telehealth have really been wondering about when the Counseling Compact is going to go into effect and when they will start actually granting practice privileges. Previously, that was estimated to occur by the end of 2024 now that is shifted to by the end of 2025. But the sort of good news is that, since we last gave a little update on this, the Counseling Project, who is responsible for implementing the infrastructure for it, did a actual demo of their minimum viable product for the system that’s going to manage all of this. So it is moving forward measurably and and the you know application to obtain practice privileges should open within this year, but it is not yet in effect. The other development as well is that there are now 37 member states to the Counseling Compact, so it’s going to be pretty awesome when it does go into effect. And I imagine that even more states will join between now and the time than it does, in fact, go into effect.

 

Evan Dumas 

Yeah, I hope so.

 

Liath Dalton 

Yes.

 

Evan Dumas 

Poor Marriage and Family therapy workers.

 

Liath Dalton 

I know, it’s really brutal. The Social Work Compact, Licensure Compact is is also progressing forward, though they have less specificity around ETA for when the applications and practice privilege granting will occur than the Counseling Compact, but we’re keeping an eye on that. And we will be updating our teletherapy practice rules by state tool to reflect the compact status for both the Counseling Compact Social Work Compact and keeping the PSYPACT designations updated and current as well as all those are kind of continually shifting pieces.

 

Liath Dalton 

And then we would be remiss if we didn’t talk about another area that we are keeping an eye on and that really has implications for all healthcare providers and practices. What might that be?

 

Evan Dumas 

Oh, that’s still buzzword, AI.

 

Liath Dalton 

Yes. So there are a lot of moves by different regulatory bodies, including even the FDA, to specify regulation around AI utilization in healthcare provision. There are many stakeholders, and this is a, you know, not only is AI utilization and availability proliferating everywhere, but the move to try to catch up to that proliferation on a regulatory basis, to provide the necessary legal and ethical provisions and safeguards, is is occurring and emerging.

 

Liath Dalton 

So as there is proposed specific regulation, and as that has specificity around what you can and cannot do, or should or should not do, as a healthcare practitioner, we’ll be informing you of of those changes, and that that news. In the meantime, following the legal, ethical recommendations that we and Eric Strom, the teletherapy and HIPAA attorney and American Mental Health Counseling Association Ethics Committee Member provided in our training on AI utilization is going to be kind of the the basis. Because, to date, only one of the professional ethics codes, that the AMHCAupdated their ethics codes explicitly, but we can draw on each of the ethics codes other standards to guide how AI can and cannot be utilized and how to do it in a ethical and appropriate way.

 

Evan Dumas 

Yeah, we should.

 

Liath Dalton 

So, we’re not, we’re not, we’re not alone like we aren’t without resources and guidance to to draw on. It’s just that there will be more forthcoming, and what’s forthcoming will be even more explicit, but we need to be very intentional and diligent right now, and every moment going forward, in how it’s it’s utilized.

 

Liath Dalton 

So be be aware of that, and also to that end, one of the projects that we are working on at PCT and will soon be releasing is a policy insert to go with our customizable Policy and Procedure materials and manuals that explicitly addresses AI utilization, adoption and correct usage. So, stay tuned for that as well.

 

Liath Dalton 

So those are the the main stories. There are definitely other stories and and topics that we will be addressing throughout the season, but that’s the kind of initial lay of the land for the things that are going to be kind of most significantly impactful.Anything that you would add, Evan? Probably telling folks to take a break, a breath and not be overwhelmed.

 

Evan Dumas 

Well, I mean, that’s all we know right now. Like these are the things that have been coming down the pike, and we’ve made aware of but that’s also to say that, you know, a lot of regulatory changes might be happening, and we’re going to keep you abreast of those too.

 

Evan Dumas 

So just stay tuned and let us do the analysis and keep up with the news. So you know, if you see worrying articles on pop culture news sites, things like that, know, there’s always more to it, and we’re getting it right from the good sources. So come to us, and we’ll help either assuage fears or validate them.

 

Liath Dalton 

And if we validate them, our goal is always to then provide the specific steps and resources to help you in taking those steps that will cover your your bases and needs with whatever the scary thing is or significant thing is that that requires taking some sort of action.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So with that, thank you for joining us. We hope that this year and season is a strong one for your practice, and look forward to being a part of that.

 

Evan Dumas 

Yeah, always looking forward to help.

 

Liath Dalton 

We’ll chat to you good folks next time.

 

Evan Dumas 

Yeah, talk to everybody later.

 

Liath Dalton 

This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast, or click podcast on the menu bar.